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Abstract 

We describe an extension to tlie TLA"*" specification language with constructs for writing proofs 
and a proof environment, called the Proof Manager (PM), to checks those proofs. The language 
and the PM support the incremental development and checking of hierarchically structured proofs. 
The PM translates a proof into a set of independent proof obligations and calls upon a collection of 
QQ ' back-end provers to verify them. Different provers can be used to verify different obligations. The 

. currently supported back-ends are the tableau prover Zenon and Isabelle/TLA"*", an axiomatisation of 

' TLA"*" in Isabelle/Pure. The proof obligations for a complete TLA"*"- proof can also be used to certify 

the theorem in Isabelle/TLA"*". 

> ■ 

o . 

^ ; 1 Introduction 

(N ■ 

I , TLA is a language for specifying the behavior of concurrent and distributed systems and asserting prop- 

' erties of those systems flT]. However, it provides no way to write proofs of those properties. We have 

Q . designed an extended version of the language that allows writing proofs, and we have begun implement- 

^ 1 I ing a system centered around a Proof Manager (PM) that invokes existing automated and interactive 

' proof systems to check those proofs. For now, the new version of TLA^ is called TLA"*"^ to distinguish 

^ ■ it from the current one. We describe here the TLA+- proof constructs and the current state of the proof 

! system. 

^ I The primary goal of TLA^^ and the proof system is the mechanical verification of systems speci- 

^ ■ fications. The proof system must not only support the modal and temporal aspects of TLA needed to 

I . reason about system properties, but must also support ordinary mathematical reasoning in the underlying 

^ I logic. Proofs in TLA^^ are natural deduction proofs written in a hierarchical style that we have found to 

• ■ be good for ordinary mathematics 13 and crucial for managing the complexity of correctness proofs of 

. systems lH. 

OO ! The PM computes proof obligations that establish the correctness of the proof and sends them to one 

O ' or more back-end provers to be verified. Currently, the back-end provers are Isabelle/TLA+, a faithful 

■ axiomatization of TLA^ in Isabelle/Pure, and Zenon IH, a tableau prover for classical first-order logic 

^ , with equality. The PM first sends a proof obligation to Zenon. If Zenon succeeds, it produces an Isar 

^ I script that the PM sends to Isabelle to check. Otherwise, the PM outputs an Isar script that uses one of 

Isabelle's automated tactics. In both cases, the obligations are certified by Isabelle/TLA^ . The system 
architecture easily accommodates other back-end provers; if these are proof -producing, then we can 
use their proofs to certify the obligations in Isabelle/TLA^, resulting in high confidence in the overall 
correctness of the proof. 

The TLA^- proof constructs are described in Section |2l Section [3] describes the proof obligations 
generated by the PM, and Section |4] describes how the PM uses Zenon and Isabelle to verify them. The 
conclusion summarizes what we have done and not yet done and briefly discusses related work. 



2 TLA^ and its Proof Language 

2.1 TLA 

The TLA+ language is based on the Temporal Logic of Actions (TLA) lITOl . a linear-time temporal logic. 
The rigid variables of TLA are called constants and the flexible variables are called simply variables. 
TLA assumes an underlying ordinary (non-modal) logic for constructing expressions. Operators of that 
logic are called constant operators. A state function is an expression built from constant operators and 
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TLA constants and variables. The elementary (non-temporal) formulas of TLA are actions, which are 
formulas built with constant operators, constants, variables, and expressions of the form /', where / is 
a state function. (TLA also has an enabled operator that is used in expressing fairness, but we ignore it 
for brevity.) An action is interpreted as a predicate on pairs of states that describes a set of possible state 
transitions, where state functions refer to the starting state and primed state functions refer to the ending 
state. Because priming distributes over constant operators and because c' is equal to c for any constant 
c, an action can be reduced to a formula built from constant operators, constants, variables, and primed 
variables. 

TLA is practical for describing systems because all the complexity of a specification is in the action 
formulas. Temporal operators are essentially used only to assert liveness properties, including fairness 
of system actions. Most of the work in a TLA proof is in proving action formulas; temporal reasoning 
occurs only in proving liveness properties and is limited to propositional temporal logic and to applying 
a handful of proof rules whose main premises are action formulas. Because temporal reasoning is such 
a small part of TLA proofs, we have deferred its implementation. The PM now handles only action 
formulas. We have enough experience mechanizing TLAs temporal reasoning H to be fairly confident 
that it will not be hard to extend the PM to support it. 

A formula built from constant operators, constants, variables, and primed variables is valid iff it 
is a valid formula of the underlying logic when constants, variables, and primed variables are treated 
as distinct variables of the logic — that is, if v and v' ai^e considered to be two distinct variables of the 
underlying logic, for any TLA variable v. Since any action formula is reducible to such a formula, action 
reasoning is immediately reducible to reasoning in the underlying logic. We therefore ignore variables 
and priming here and consider only constant formulas. 

2.2 TLA+ 

The TLA"^ language adds the following to the TLA logic: 

• An underlying logic that is essentially ZFC set theory plus classical untyped first-order logic with 
Hubert's s lfT3l . The major difference between this underlying logic and traditional ZFC is that 
functions are defined axiomatically rather than being represented as sets of ordered pairs. 

• A mechanism for defining operators, where a user-defined operator is essentially a macro that is 
expanded syntactically. (TLA^ permits recursive function definitions, but they are translated to 
ordinary definitions using Hilbert's e.) 

• Modules, where one module can import definitions and theorems from other modules. A module 
is pai^ameterized by its declai^ed variables and constants, and it may be instantiated in another 
module by substituting expressions for its parameters. The combination of substitution and the 
ENABLED Operator introduces some complications, but space limitations prevent us from discussing 
them, so we largely ignore modules in this paper. 

TLA^ has been extensively documented ifTTl . Since we are concerned only with reasoning about its 
underlying logic, which is a very familiar one, we do not bother to describe TLA+ in any detail. All of 
its nonstandard notation that appears in our examples is explained. 

2.3 The Proof Language 

The major new feature of TLA^- is its proof language. (For reasons having nothing to do with proofs, 
TLA+- also introduces recursive operator definitions, which we ignore here for brevity.) We describe the 
basic proof language, omitting a few constructs that concern aspects such as module instantiation that 
we are not discussing. TLA^- also adds constructs for naming subexpressions of a definition or theorem, 
which is important in practice for writing proofs but is orthogonal to the concerns of this paper. 
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The goal of the language is to make proofs easy to read and write for someone with no knowledge of 
how the proofs are being checked. This leads to a mostly declarative language, built around the uses and 
proofs of assertions rather than around the application of proof-search tactics. It is therefore more akin 
to Isabelle/lsar ifTTI than to more operational interactive languages such as Coq's Vernacular |fT6]|. Nev- 
ertheless, the proof language does include a few operational constructs that can eliminate the repetition 
of common idioms, albeit with some loss of perspicuity. 

At any point in a TLA^ proof, there is a cunent obligation that is to be proved. The obligation 
contains a context of known facts, definitions, and declarations, and a goal. The obligation claims that 
the goal is logically entailed by the context. Some of the facts and definitions in the context are marked 
(explicitly or implicitly) as usable for reasoning, while the remaining facts and definitions are hidden. 

Proofs are structured hierarchically. The leaf (lowest-level) proof obvious asserts that the current 
goal follows easily from the usable facts and definitions. The leaf proof 

BY ei,. DEFSOl,...,0„ 

asserts that the current goal follows easily from the usable facts and definitions together with (i) the facts 
ei that must themselves follow easily from the context and (ii) the known definitions of oj. Whether a 
goal follows easily from definitions and facts depends on who is trying to prove it. For each leaf proof, 
the PM sends the coiTcsponding leaf obligation to the back-end provers, so in practice "follows easily" 
means that a back-end prover can prove it. A non-leaf proof is a sequence of steps, each consisting 
of a begin-step token and a proof construct. For some constructs (including a simple assertion of a 
proposition) the step takes a subproof, which may be omitted. The final step in the sequence simply 
asserts the current goal, which is represented by the token qed. A begin-step token is either a level token 
of the form {n) or a label of the form («)/, where n is a level number that is the same for all steps of this 
non-leaf proof, and / is an arbitrary name. The hierarchical structure is deduced from the level numbers 
of the begin-step tokens, a higher level number beginning a subproof. 

Some steps make declai^ations or definitions or change the cun^ent goal and do not require a proof. 
Other steps make assertions that become the current goals for their proofs. An omitted proof (or one 
consisting of the token omitted) is considered to be a leaf proof that instructs the assertion to be accepted 
as true. Of course, the proof is then incomplete. From a logical point of view, an omitted step is the 
same as an additional assumption added to the theorem; from a practical point of view, it doesn't have 
to be lifted from its context and stated at the start. Omitted steps are intended to be used only in the 
intermediate stages of writing a proof. 

Following a step that makes an assertion (and the step's proof), until the end of the current proof 
(after the qed step), the contexts contain that assertion in their sets of known facts. The assertion is 
marked usable iff the begin-step token is a level token; otherwise it can be referred to by its label in a by 
proof or made usable with a use step. 

The hierarchical structure of proofs not only aids in reading the finished proof but is also quite useful 
in incrementally writing proofs. The steps of a non-leaf proof are first written with all proofs but that 
of the QED step omitted. After checking the proof of the qed step, the proofs omitted for other steps 
in this or earlier levels are written in any order. When writing the proof, one may discover facts that 
are needed in the proofs of multiple steps. Such a fact is then added to the proof as an earlier step, or 
added at a higher level. It can also be removed from the proof of the theorem and proved separately as a 
lemma. However, the hierarchical proof language encourages facts relevant only for a particular proof to 
be kept within the proof, making the proof's structure easier to see and simplifying maintenance of the 
proof. For correctness proofs of systems, the first few levels of the hierarchy are generally determined by 
the structure of the formula to be proved — for example, the proof that a formula implies a conjunction 
usually consists of steps asserting that it implies each conjunct. 
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As an example, we incrementally construct a hierarchical proof of Cantor's theorem, which states 
that there is no surjective function from a set to its powerset. It is written in TLA^ as: 

THEOREM : V/ € [5 — » SUBSET 5 ] : 3A € SUBSET S : Vx € 5 : f[x] + A 

where function application is written using square brackets, subset S is the powerset of S , and [5 — > T] 
is the set of functions from 5 to T. 

The statement of the theorem is the current goal for its top-level proof. A goal of the form Vv : e 
is proved by introducing a generic constant and proving the formula obtained by substituting it for the 
bound identifier. We express this as follows, using the assume/prove construct of TLA^^: 

THEOREM : V/ € [5 — > SUBSET 5 ] : 3A € SUBSET S : Vx G 5 ; f\x\ + A 
(1)1. ASSUME NEW 5, 

NEW / € [5 — » SUBSET S ] 

PROVE 3A e SUBSET 5 : Vx e 5 : /[x] + A 

<1)2. QED BY (1)1 

Although we could have used labels such as {l}one and {\)last instead of (1)1 and (1)2, we have found 
that proofs are easier to read when steps at the same level are labeled with consecutive numbers. One 
typically starts using consecutive step numbers and then uses labels like (3)2a for inserting additional 
steps. When the proof is finished, steps are renumbered consecutively. (A planned user interface will 
automate this renumbering.) 

Step (1)1 asserts that for any constants S and / with / e [5 — > subset 5], the proposition to the right 
of the PROVE is true. More precisely, the current context for the (as yet unwritten) proof of (1)1 contains 
the declarations of S and / and the usable fact / e [5 — > subset S], and the prove assertion is its goal. 
The QED step states that the original goal (the theorem) follows from the assertion in step (1)1. 

We tell the PM to check this (incomplete) proof, which it does by having the back-end provers verify 
the proof obligation for the qed step. The verification succeeds, and we now continue by writing the 
proof of (1)1. (Had the verification failed because (1)1 did not imply the current goal, we would have 
caught the eiTor before attempting to prove (1)1, which we expect to be harder to do.) 

We optimistically start with the proof obvious, but it is too hard for the back-end to prove, and the 
PM reports a timeout. Often this means that a necessary fact or definition in the context is hidden and 
we merely have to make it usable with a use step or a by proof. In this case we have no such hidden 
assumptions, so we must refine the goal into simpler goals with a non-leaf proof. We let this proof have 
level 2 (we can use any level greater than I). Since the goal itself is existentially quantified, we must 
supply a witness. In this case, the witness is the classic diagonal set, which we call T. 

(1)1. ASSUME NEW S , 

NEW / € [5 SUBSET S ] 

PROVE 3A E SUBSET S ."ix^S : fix} + A 

(2)1. DEFINE r = {zE 5 -.ZiflzW 

{2)2. -ixeS: f[x] + T 

(2)3. QED BY (2)2 

Because definitions made within a proof are usable by default, the definition of T is usable in the proofs 
of (2)2 and (2)3. Once again, the proof of the qed step is automatically verified, so all that remains is to 
prove (2)2. (The define step requires no proof.) 

The system accepts obvious as the proof of (2)2 because the only difficulty in the proof of (1)1 is 
finding the witness. However, suppose we want to add another level of proof for the benefit of a human 
reader. The universal quantification is proved as above, by introducing a fresh constant: 
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(2)2. Vx 6 5 : f[x\ + T 

(3)1. ASSUME NEW XES PROVE f{x\ + T 
(3)2. QED BY (3)1 

Naturally, the qed step is verified. Although the system accepts obvious as the proof of (3)1 (remember 
that it could verify (2)2 by itself), we can provide more detail with yet another level of proof. We write 
this proof the way it would seem natural to a person — by breaking it into two cases: 

(3)1. ASSUME NEW X € 5 PROVE /[x] + T 
(4)1. CASEX€r 

(4)2. CASE xiT 

(4)3. QED BY (4)1,(4)2 

The (omitted) proof of the case statement (4)1 has as its goal f[x] i= T and has the additional usable fact 
;c e r in its context. 

We continue refining the proof in this way, stopping with an obvious or by proof when a goal is obvi- 
ous enough for the back-end prover or for a human reader, depending on who the proof is being written 
for. A BY statement can guide the prover or the human reader by listing helpful obvious consequences of 
known facts. For example, the proof of (4)1 might be by x i f\x\. The proof is now finished: it contains 
no omitted sub-proofs. For reference, the complete text of the proof is given in Appendix |B] 

Our experience writing hand proofs makes us expect that proofs of systems could be ten or more 
levels deep, with the first several levels dictated by the structure of the property to be proved. Our method 
of numbering steps makes such proofs manageable, and we are not aware of any good alternative. 

This example illustrates how the proof language supports the hierarchical, non-linear, and incremen- 
tal development of proofs. The proof writer can work on the most problematic unproved steps first, 
leaving the easier ones for later. Finding that a step cannot be proved (for example, because it is invalid) 
may require changing other steps, making proofs of those other steps wasted effort. We intend to provide 
an interface to the PM that will make it easy for the user to indicate which proofs should be checked and 
will avoid unnecessarily rechecking proofs. 

The example also shows how aheady-proved facts are generally not made usable, but are invoked 
explicitly in by proofs. Global definitions are also hidden by default and the user must explicitly make 
them usable. This makes proofs easier to read by telling the reader what facts and definitions are being 
used to prove each step. It also helps constrain the search space for an automated back-end prover, 
leading to more efficient verification. Facts and definitions can be switched between usable and hidden 
by USE and hide steps, which have the same syntax as by. As noted above, omitting the label from a step's 
starting token (for example, writing (4) instead of (4)2) makes the fact it asserts usable. This might be 
done for compactness at the lowest levels of a proof. 

The example also indicates how the current proof obligation at every step of the proof is clear, having 
been written explicitly in a parent assertion. This clear structure comes at the cost of introducing many 
levels of proof, which can be inconvenient. One way of avoiding these extra levels is by using an assertion 
of the form suffices A, which asserts that proving A proves the current goal, and makes A the new current 
goal in subsequent steps. In our example proof, one level in the proof of step (2)2 can be eliminated by 
writing the proof as: 

(2)2. Vx e 5 : /[x] + T 

(3)1. SUFFICES ASSUME NEW X £ 5 PROVE /[x] it J 
PROOF OBVIOUS 

(3)2. CASE xeT 
(3)3. CASE x^T 
(3)4. QED BY (3)2, (3)3 
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where the proofs of the case steps are the same as before. The suffices statement changes the current goal 
of the level-3 proof to f[x] T after adding a declaration of x and the usable fact xeS to the context. 
This way of proving a universally quantified formula is sufficiently common that TLA^- provides a take 
construct that allows the suffices assertion (3)1 and its obvious proof to be written take xeS . 

There is a similar construct, witness f eS for proving an existentially quantified goal 3x e S : e, 
which changes the goal to e[x :- f]. For implicational goals e => /, the construct have e changes the goal 
to /. No other constructs in the TLA^- proof language change the form of the current goal. We advise 
that these constructs be used only at the lowest levels of the proof, since the new goal they create must 
be derived instead of being available textually in a parent assertion. (As a check and an aid to the reader, 
one can at any point insert a redundant suffices step that simply asserts the current goal.) 

The final TLA"^- proof construct is pick x : e, which introduces a new symbol x that satisfies e. The 
goal of the proof of this pick step is 3x : e, and it changes the context of subsequent steps by adding a 
declaration of x and the fact e. A more formal summary of the language appears in Appendix lAl 

The semantics of a TLA^^ proof is independent of any back-end prover. Different provers will have 
different notions of what "follows easily", so an obvious proof may be verified by one prover and not 
another. In practice, many provers such as Isabelle must be directed to use decision procedures or spe- 
cial tactics to prove some assertions. For this purpose, special standard modules will contain dummy 
theorems for giving directives to the PM. Using such a theorem (with a use step or by proof) will cause 
the PM not to use it as a fact, but instead to generate special directives for back-end provers. It could 
even cause the PM to use a different back-end prover. (If possible, the dummy theorem will assert a 
true fact that suggests the purpose of the directive.) For instance, using the theorem Arithmetic might be 
inteipreted as an instruction to use a decision procedure for integers. We hope that almost all uses of this 
feature will leave the TLA^^ proof independent of the back-end provers. The proof will not have to be 
changed if the PM is reconfigured to replace one decision procedure with a different one. 

3 Proof Obligations 

The PM generates a separate proof obligation for each leaf proof and orchestrates the back-end provers 
to verify these obligations. Each obligation is independent and can be proved individually. If the system 
cannot verify an obligation within a reasonable amount of time, the PM reports a failure. The user 
must then determine if it failed because it depends on hidden facts or definitions, or if the goal is too 
complex and needs to be refined with another level of proof. (Hiding facts or definitions might also help 
to constrain the search space of the back-end provers.) 

When the back-end provers fail to find a proof, the user will know which obligation failed — that is, 
she will be told the obligation's usable context and goal and the leaf proof from which it was generated. 
We do not yet know if this will be sufficient in practice or if the PM will need to provide the user with 
more information about why an obligation failed. For example, many SAT and SMT solvers produce 
counterexamples for an unprovable formula that can provide useful debugging information. 

The PM will also mediate the certification of the TLA"^- theorem in a formal axiomatization of TLA"^- 
in a trusted logical framework, which in the cuiTcnt design is Isabelle/TLA+ (described in Section l42l ). 
Although the PM is designed generically and can support other similar frameworks, for the rest of this 
paper we will Hmit our attention to Isabelle/TLA^. Assuming that Isabelle/TLA+ is sound, once it has 
certified a theorem we know that an eiTor is possible only if the PM incoiTcctly translated the statement 
of the theorem into Isabelle/TLA^. 

After certifying the proof obligations generated for the leaf proofs, called the leaf obligations, cer- 
tification of the theorem itself is achieved in two steps. First, the PM generates a structure lemma (and 
its Isabelle/TLA''" proof) that states simply that the collection of leaf obligations implies the theorem. 
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Then, the PM generates a proof of the theorem using the akeady-certified obhgations and structure 
lemma. If Isabelle accepts that proof, we are assured that the translated version of the theorem is true in 
Isabelle/TLA^, regardless of any errors made by the PM. 

Of course, we expect the PM to be correct. We now explain why it should be by describing how 
it generates the leaf obligations from the proof of a theorem. (Remember that we are considering only 
TLA^^ formulas with no temporal operators.) Formally, a theorem in TLA^- represents a closed proof 
obligation in the TLA"*"^ meta-logic of the form (F ih e), where F is a context containing all the dec- 
larations, definitions, facts (previous assumptions or theorems) and the assumptions introduced in the 
theorem using an assume clause (if present), and e is a TLA^- formula that is the goal of the theorem. 

A closed obligation (F ih e) is true if e is entailed by F in the formal semantics of TLA"*" iHTI . It is 
said to be provable if we have a proof of e from F in Isabelle/TLA^. Because we assume Isabelle/TLA^ 
to be sound, we consider any provable obligation to be true. A claim is a sentence of the form tt : (F ih e), 
where tt is a TLA^^ proof. This claim represents the verification task that tt is a proof of the proof 
obligation (F ih e). The PM generates the leaf obligations of a claim by recursively traversing its proof, 
using its structure to refine the obligation of the claim. For a non-leaf proof, each proof step modifies 
the context or the goal of its obligation to produce an obligation for its following step, and the final qed 
step proves the final form of the obligation. More precisely, every step defines a transformation, written 
o". T : (F Ih e) — > (A ih /), which states that the input obligation (F Ih e) is refined to the obligation (A ih /) 
by the step cr. r. A step is said to be meaningfiil if the input obligation matches the form of the step. (An 
example of a meaningless claim is one that involves a take step whose input obligation does not have a 
universally quantified goal.) A claim is meaningful if every step in it is meaningful. 

The recursive generation of leaf obligations for meaningful claims and transformations is specified 
using inference rules, with the interpretation that the leaf obligations generated for the claim or transfor- 
mation at the conclusion of a rule is the union of those generated by the claims and transformations in 
the premises of the rule. For example, the following rule is applied to generate the leaf obligations for a 
claim TT : (F Ih e) when tt is a sequence of n steps, for n > 1. 

CTi.Ti : (F Ih e) — > (A ih /) :(A Ih/) 

CTi.Ti 0-2.T2 ■■■ 0-„.Tn : (F Ih e) 

The leaf obligations of the claim in the conclusion are the union of those of the claim and transformation 
in the premises. As an example of leaf obligations generated by a transformation, here is a rule for the 
step cr. T where cr is the begin-step level token (n) and t is the proposition p with proof n. 

Ti- : (F, [-.e] ih p) 

(n) . p PROOF ;r : (F Ih e) — > (F,p Ih e) 

The rule concludes that the refinement in this step is to add p to the context of the obligation, assuming 
that the sub-proof n is able to establish it. The leaf obligations generated by this transformation are the 
same as those of the claim in the premise of the rule. The goal e is negated and added to the context 
as a hidden fact (the square brackets indicate hiding). We can use -le in a by proof or use statement, 
and doing so can simplify subproofs. (Because we are using classical logic, it is sound to add -te to the 
known facts in this way.) The full set of such rules for every construct in the TLA^- proof language is 
given in appendix lAl 

A claim is said to be complete it its proof contains no omitted subproofs. Starting from a complete 
meaningful claim, the PM first generates its leaf obligations and filters the hidden assumptions from 
their contexts. (Filtration amounts to deleting hidden facts and replacing hidden operator definitions with 
declarations.) The PM then asks the back-end provers to find proofs of the filtered obligations, which are 
used to certify the obligations in Isabelle/TLA^. The PM next writes an Isar proof of the obligation of the 
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complete meaningful claim that uses its certified filtered leaf obligations. The following meta-theorem 
(proved in Appendix I A.4I ) ensures that the PM can do this for all complete meaningful claims. 

Theorem 1 (Structural Soundness Theorem). Ifn : (F ih e) is a complete meaningful claim and every leaf 
obligation it generates is provable after filtering hidden assumptions , then (F ih e) is provable. 

Isabelle/TLA+ then uses this proof to certify the obligation of the claim. From the assumptions that the 
Isabelle/TLA^ axiomatization is faithful to the semantics of TLA^^ and that the embedding of TLA^- into 
Isabelle/TLA^ is sound, it follows that the obligation is true. 

4 Verifying Proof Obligations 

Once the PM generates the leaf obUgations, it must send them to the back-end provers. The one non- 
obvious part of doing this is deciding whether definitions should be expanded by the PM or by the 
prover. This is discussed in Section |4TT] We then describe the state of our two current back-end provers, 
Isabelle/TLA+ and Zenon. 

4.1 Expanding Definitions 

Expansion of usable definitions cannot be left entirely to the back-end prover. The PM itself must do it 
for two reasons: 

• It must check that the current goal has the right form for a take, witness, or have step to be 
meaningful, and this can require expanding definitions. 

• The encoding of TLA^ in the back-end prover's logic would be unsound if a modal operator like 
prime (') were encoded as a non-modal operator. Hence, encoding a definition like 0{x) = x' as an 
ordinary definition in the prover's logic would be unsound. All instances of such operators must 
be removed by expanding their definitions before a leaf obligation is sent to the back-end prover. 
Such operator definitions seldom occur in actual TLA^ specifications, but the PM must be able to 
deal with them. 

Another reason for the PM to handle definition expansion is that the Isabelle/TLA^ object logic does 
not provide a direct encoding of definitions made within proofs. We plan to reduce the amount of 
trusted code in the PM by lambda-lifting all usable definitions out of each leaf obligation and introducing 
explicit operator definitions using Isabelle's meta equality (=). These definitions will be expanded before 
interacting with Isabelle. 

4.2 Isabelle/TLA+ 

The core of TLA^- is being encoded as a new object logic Isabelle/TLA^ in the proof assistant Is- 
abelle |[T4i . One of Isabelle's distinctive features that similar proof assistants such as Coq |[T6i or 
HOL Q [U lack is genericity with respect to different logics. The base system Isabelle/Pure provides 
the trusted kernel and a framework in which the syntax and proof rules of object logics can be defined. 
We have chosen to encode TLA"*"^ as a separate object logic rather than add it on top of one of the ex- 
isting logics (such as ZF or HOL). This simplifies the translation and makes it easier to interpret the 
enor messages when Isabelle fails to prove obligations. A strongly typed logic such as HOL would have 
been unsuitable for representing TLA^^ which is untyped. Isabelle/ZF might seem like a natural choice, 
but differences between the way it and TLA^ define functions and tuples would have made the encod- 
ing awkward and would have prevented us from reusing existing theories. Fortunately, the genericity 
of Isabelle helped us not only to define the new logic, but also to instantiate the main automated proof 
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methods, including rewriting, resolution- and tableau provers, and case-based and inductive reasoning. 
Adding support for more specialized reasoning tools such as proof-producing SAT solvers ||5l or SMT 
solvers such as haRVey Q will be similarly helped by existing generic interfaces. 

The current encoding supports only a core subset of TLA^^, including propositional and first-order 
logic, elementary set theory, functions, and the construction of natural numbers. Support for arithmetic, 
strings, tuples, sequences, and records is now being added; support for the modal part of TLA^' (vari- 
ables, priming, and temporal logic) will be added later. Nevertheless, the existing fragment can already 
be used to test the interaction of the PM with Isabelle and other back-end provers. As explained above, 
Isabelle/TLA+ is used both as a back-end prover and to check proof scripts produced by other back-end 
provers such as Zenon. If it turns out to be necessary, we will enable the user to invoke one of Isabelle's 
automated proof methods (such as auto or blast) by using a dummy theorem, as explained at the end 
of Section 1231 If the method succeeds, one again obtains an Isabelle theorem. Of course, Isabelle/TLA^ 
can also be used independently of the PM, which is helpful when debugging tactics. 



4.3 Zenon 

Zenon Q is a tableau prover for classical first-order logic with equality that was initially designed to 
output formal proofs checkable by Coq |[T6l . Zenon outputs proofs in an automatically-checkable format 
and it is easily extensible with new inference rules. One of its design goals is predictability in solving 
simple problems, rather than high performance in solving some hard problems. These characteristics 
make it well-suited to our needs. 

We have extended Zenon to output Isai^ proof scripts for Isabelle/TLA^ theorems, and the PM uses 
Zenon as a back-end prover, shipping the proofs it produces to Isabelle to certify the obligation. We have 
also extended Zenon with direct support for the TLA^^ logic, including definitions and rules about sets 
and functions. Adding support in the form of rules (instead of axioms) is necessary because some rules 
are not expressible as first-order axioms, notably the rules about the set constructs: 

eeS P[x :^ e] 3y e S : e ^ d[x :^ y] 

; — — — subsetOf — — setOfAll 



Even for the rules that are expressible as first-order axioms, adding them as rules makes the proof search 
procedure much more efficient in practice. The most important example is extensionality: when set 
extensionality and function extensionality are added as axioms, they apply to every equality deduced by 
the system, and pollute the search space with large numbers of irrelevant formulas. By adding them as 
rules instead, we can use heuristics to apply them only in cases where they have some chance of being 
useful. 

Adding support for arithmetic, strings, tuples, sequences, and records will be done in parallel with the 
corresponding work on Isabelle/TLA^ , to ensure that Zenon will produce proof scripts that Isabelle/TLA^ 
will be able to check. Temporal logic will be added later. We also plan to interface Zenon with Isabelle, 
so it can be called by a special Isabelle tactic the same way other tools are. This will simplify the PM by 
giving it a uniform interface to the back-end provers. It will also allow using Zenon as an Isabelle tactic 
independently of TLA^. 



5 Conclusions and Future Work 

We have presented a hierarchically structured proof language for TLA"*". It has several important features 
that help in managing the complexity of proofs. The hierarchical structure means that changes made 
at any level of a proof are contained inside that level, which helps construct and maintain proofs. Leaf 
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proofs can be omitted and the resulting incomplete proof can be checked. This allows different parts 
of the proof to be written separately, in a non-linear fashion. The more traditional linear proof style, in 
which steps that have not yet been proved can be used only if explicitly added as hypotheses, encourages 
proofs that use many separate lemmas. Such proofs lack the coherent structure of a single hierarchical 
proof. 

The proof language lets the user freely and repeatedly make facts and definitions usable or hidden. 
Explicitly stating what is being used to prove each step makes the proof easier for a human to understand. 
It also aids a back-end prover by limiting its search for a proof to ones that use only necessary facts. 

There are other declarative proof languages that are similar to TLA^^ Isar ifTTl is one such language, 
but it has significant differences that encourage a different style of proof development. For example, it 
provides an accumulator facility to avoid explicit references to proof steps. This is fine for short proofs, 
but in our experience does not work well for long proofs that are typical of algorithm verification that 
TLA^- targets. Moreover, because Isabelle is designed for interactive use, the effects of the Isar proof 
commands are not always easily predictable, and this encourages a linear rather than hierarchical proof 
development style. The Focal Proof Language III is essentially a subset of the TLA+- proof language. 
Our experience with hierarchical proofs in Focal provides additional confidence in the attractiveness of 
our approach. We know of no declarative proof language that has as flexible a method of using and 
hiding facts and definitions as that of TLA^^. 

The PM transforms a proof into a collection of proof obligations to be verified by a back-end prover. 
Its cuiTcnt version handles proofs of theorems in the non-temporal fragment of TLA^ that do not involve 
module instantiation (importing of modules with substitution). Even with this limitation, the system 
can be useful for many engineering applications. We are therefore concentrating on making the PM 
and its back-end provers handle this fragment of TLA^ effectively before extending them to the complete 
language. The major work that remains to be done on this is to complete the Zenon and Isabelle inference 
rules for reasoning about the built-in constant operators of TLA^. There are also a few non-temporal 
aspects of the TLA"^^ language that the PM does not yet handle, such as subexpression naming. We 
also expect to extend the PM to support additional back-end provers, including decision procedures for 
arithmetic and for propositional temporal logic. 

We do not anticipate that any major changes will be needed to the TLA^- proof language. We do 
expect some minor tuning as we get more experience using it. For example, we are not sure whether 
local definitions should be usable by default. A graphical user interface is being planned for the TLA^ 
tools, including the PM. It will support the non-linear development of proofs that the language and the 
proof system allow. 
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A Details of the PM 



We shall now give a somewhat more formal specification of the PM and prove the key Structural Sound- 
ness Theorem [U We begin with a quick summary of the abstract syntax of TLA^- proofs, ignoring the 
stylistic aspects of their concrete representation. (See |[T2| for a more detailed presentation of the proof 
language.) 

Definition 2 (TLA^^ Proof Language). TLA^^ proofs, non-leaf proofs, proof steps and begin-step tokens 
have the following syntax, where n ranges over natural numbers, I over labels, e over expressions, O over 
lists of expressions, o over operator definitions, *F over sets of operator names, over lists of binders 
(i.e., constructs of the form x and xee used to build quantified expressions), and a over expressions or 

ASSUME . . . PROVE/orWI5. 



(Proofs) n 
(Non-leaf proofs) IT 

(Proof steps) t 



(Begin-step tokens) cr 



OBVIOUS I OMITTED | BY O DEES ^ | 11 
cr. QED PROOE TT 

o-.T n 

USE O DEES Y I HIDE O DEES ^ | DEEINE O 
HAVE e I TAKE \ WITNESS <1> 

a PROOE n I suEFicES a proof n \ pick /? : e prooe n 
(n) I {n)l 
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A proof that is not a non-leaf proof is called a leaf proof The level numbers of a non-leaf proof must all 
be the same, and those in the subproof of a step (that is, the n in a proof n, etc.) must be strictly greater 
than that of the step itself. 

A.l The Meta-Language 

The PM uses proofs in the TLA^- proof language (Definition |2l) to manipulate constructs in the meta- 
language of TLA+-. This meta-language naturally has no representation in TLA+- itself; we define its 
syntax formally as follows. 

Definition 3 (Meta-Language). The TLA^- meta-language consists of obligations, assumptions and de- 
finables with the following syntax, where e ranges over TUt^ expressions, x and o over TUt^ identifiers, 
and X over lists of TLP^^ identifiers. 

(Obligations) (p ::= (/ji, . . . ih e) (n>0) 
(Assumptions) h ::= new;c \ o ^ 6 \ cf) \ [o - 5] | [0] 
(Definables) 6 ::= cp \ lamsokx-.c 

The expression after Ih in an obligation is called its goal. An assumption written inside square brackets 
[ ] is said to be hidden,- otherwise it is usable. For any assumption h, we write h (read: h made usable j to 
stand for h with its brackets removed if it is a hidden assumption, and to stand for h if it is not hidden. A 
list of assumptions is called a context, with the empty context written as-; we let Y, A and Q. range over 
contexts, with F, A standing for the context that is the concatenation ofY and A. The context Y is Y with 
all its hidden assumptions made usable. The obligation (• ih e) is written simply as e. The assumptions 
NEW X, o = 6 and [o = 6\ bind the identifiers x and o respectively. We write x ^Y if x is bound in Y and 
x^Y if X is not bound in Y. The context Y,h is considered syntactically well-formed iffh does not bind 
an identifier already bound in Y. 

An obligation is a statement that its goal follows from the assumptions in its context. TLA^- already de- 
fines such a statement using assume . . . prove, but the contexts in such statements have no hidden assump- 
tions or definitions. (To simplify the presentation, we give the semantics of a slightly enhanced proof 
language where proof steps are allowed to mention obligations instead of just TLA^^ assume . . . prove 
statements.) We define an embedding of obligations into Isabelle/TLA+ propositions, which we take as 
the ultimate primitives of the TLA^^ meta-logic. 

Definition 4. The Isabelle/TU^ embedding (-)isa of obligations, contexts and definables is as follows: 



For example, (newP, [(new;c ih P{x)y] ih Sx : P{x)\^ = /\P- (A Pi^)) ^ ■ Pi^)- Note that usable 
and hidden assumptions are treated identically for the provability of an obligation. 

The embedding of ordinary TLA^' expressions is the identity because Isabelle/TLA^ contains TLA^' 
expressions as part of its object syntax. Thus, we do not have to trust the embedding of ordinary TLA^- 
expressions, just that of the obligation language. In practice, some aspects of TLA^- expressions, such 
as the indentation-sensitive conjunction and disjunction lists, are sent by the PM to Isabelle using an 
indentation-insensitive encoding.While Isabelle/TLA^ can implicitly generalize over the free identifiers 
in a lemma, we shall be explicit about binding and consider obligations provable only if they are closed. 



(lambda X : = Ax. e 



(Flhe)isa ^ (F)isa«' 




(Olsa A-^- 
(Olsa Ao.(o 
(Olsa ((0)lsa) 



Wisa) 
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Definition 5 (Well-Formed Obligations). The obligation (F ih e) is said to be well-formed ijfit is closed 
and (F ih e)i^^ is a well-typed proposition of Isabelle/TLA^ . 

Definition 6 (Provability). The obligation (F ih e) is said to be provable iff it is well-formed and (F ih e)jsa 
is certified by the Isabelle kernel to follow from the axioms of the Isabelle/TLA^ object logic. 

We trust Isabelle/TLA+ to be sound with respect to the semantics of TLA^', and therefore provability to 
imply truth. Formally, we work under the following trust axiom. 

Axiom 7 (Trust). If cp is provable, then it is true. 

We state a number of useful facts about obligations (which are all theorems in Isabelle/TLA^), omitting 
their trivial proofs. The last one (FactfOl) is true because TLA^ is based on classical logic. 

Fact 8 (Definition). If (T, new o, A ih e) is provable, then (F,o = 6,A\\- e) is provable if it is well-formed. 

Fact 9 (Weakening). If(Y,A \\- e) is provable, then (F,/i, A ih e) is provable if it is well-formed. 

Fact 10 (Expansion). If(T,o ^ 6,A.\\- e) is provable, then (F,o ^ 6,/S.{o :- 6] \\- e[o := 6]) is provable. 

Fact 11 (Strengthening). If (F, new o, A ih e) or (F,o = d,A\\- e) is provable and o is not free in (A ih e), 
then (F, A ih e) is provable. 

Fact 12 (Cut). If(Y,A ih e) is provable and (F,(A \\- e) ,D.\\- f) is provable, then (F,Q Ih /) is provable. 
Fact 13. If(X, -^e,A \\- e) is provable, then (F, A ih e) is provable. 

The usE/moE defs steps change the visibility of definitions in a context (Definition [l4]below). Note that 
changing the visibility of a definition does not affect the provability of an obligation because the Isabelle 
embedding (Definition |4l) makes all hidden definitions usable. 

Definition 14. If Y is a context and *P a set of operator names, then: 

1. F with T made usable, written Fusing is constructed from F by replacing all assumptions of the 
form [o — 6\ in F with o — 5 for every o € *P. 

2. F with Y made hidden, written F hiding is constructed from F by replacing all assumptions of 
the form o — 5 inT with [o = 6\ for every o € 4^. 

A sequence of binders (3 in the TLA^^ expressions V/3 : e or 3/3 : e can be reflected as assumptions. 

Definition 15 (Binding Reflection). If^ is a list of binders with each element of the form xor xee, then 
the reflection of/3 as assumptions, written ||/3||, is given inductively as follows. 

||'|| = ' ||y6,;c|| = ||yS||,NEw;c ||yS,;c e e|| - ||yS||,NEWA;,;c £ e 

A.2 Interpreting Proofs 

Let us recall some definitions from section [3] 

Definition 16 (Claims and Transformations). A claim is a judgement of the form n : (F \\- e) where n is a 
TLPt^- proof. A transformation is a judgement of the form o". r : (F ih e) — > (A ih /) where cr is a begin- 
step token and t a proof step. A claim (respectively, transformation) is said to be complete if its proof 
(respectively, proof step) does not contain any occurrence of the leaf proof omitted. 

The PM generates leaf obligations for a claim using two mutually recursive procedures, checking and 
transformation, specified below using the formalism of a primitive derivation. 
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Definition 17. A primitive derivation is a derivation constructed using inferences of the form 



{n>0) 



where E is either a claim or a transformation, and Di are primitive derivations or obligations. 
An obligation at the leaf of a primitive derivation is called a leaf obligation. 

Definition 18 (Checking and Transformation). The primitive derivations of a claim or transformation 
are constructed using the following checking and transformation rules. 
1. Checking rules 

(r Ih e) 

OBVIOUS OMITTED 

OBVIOUS : (r ih e) omitted : (F Ih e) 

(0) . USE O DEFS ^l' : (r Ih e) — ^ (A ih /) (A ih /) 
BY DEFS : (F Ih e) 

7r:(Flhe) cr. r : (F Ih e) — ^ (A Ih /) H : (A Ih /) 

^ ' QED — — non-QED 



Cr. QED PROOF TT : (F Ih e) CT. T FI : (F Ih e) 

2. Transformation 

cr. USE O : (Fusing*!' ih e) — > (A Ih /) 



cr. USE <1) DEFS : (F Ih e) — > (A Ih /) 
cr. HIDE <1) : (F Ih e) — > (A ih /) 



USE DEFS 



HIDE DEFS 



cr. HIDE CD DEFS : (F Ih g) > (A HIDING ^' Ih /) 

DEFINE (o ^ F) 

cr. DEFINE o - 5:{T ¥ e) — > (F, [o - 6\ Ih e) 



USE() HIDEO 



cr. USE-: (F Ih e) — > (F ih e) cr. hide-: (F Ih e) — > (F ih e) 

cr. USE <t> ; (F Ih e) — > (A ih /) (A, Fq ih eo) 



cr. USE O, (Fo Ih eo) : (T Ih e) — > (A, (Fq ih eo) ih /) 
cr. HIDE <t> : (Fo, [4>] , Fi ih e) — > (A ih /) 



USEi 



cr. HIDE ^,(f> : (Fo,0,Fi Ih e) — > (A ih /) 



HIDEl 



TAKEo WITNESSo 



TAKE2 



cr. TAKE*: (F Ih e) — > (F ih e) cr. witness*: (F ih e) — > (F ih e) 

cr. TAKE B : (F,NEWM Ih e[x : - m]) — > (A Ih f) 

^ — TAKEi 

cr. TAKE u,/3 : (F Ih Vx : e) — > (A ih /) 

(F ih S c T) cr. TAKE y6 : (F,NEWM,M e T ih e[x := u]) — > (A ih /) 
0-. TAKE u e tJ: (F Ih Vx e 5 : e) — » (A ih /) 
cr. WITNESS Q : (F Ih e[x := wl) — > (A ih f) 

^ — WITNESS 1 

cr. WITNESS w, Q : (F Ih 3x : e) — > (A ih /) 

{ThTQS) (Fihwer) cr. WITNESS Q:(F,wer lhe[x:=w]) — >(Aih/) 
cr. WITNESS w e r, Q : (F Ih 3x E 5 : e) — > (A ih /) 

(r,eih g) 

HAVE 

cr. HAVE g : (F Ih e ^ /) ^ {T,g ih /) 
;r:(F,he],Aih/) 



WrTNESS2 



(n> . (A ih /) PROOF TT : (F Ih e) — > (F, (A ih /) ih e) 



ASSERTi 
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7r:(r,(«>/^(A lh/),he],All-/) 



ASSERT2 



{n)l. (Aih/) prooftt: (rihe)^ (r,(«)/ = (A Ih /),[<«>/] ih e) 

cr. {g Ih e) PROOF ;r : (r Ih e) — > (A ih /) 

^ Tk FT CASE 

cr. CASE g PROOF TT : (r Ih e) > (A Ih / ) 

7r:(r,(A Ih /) Ih e) 

— SUFFICE 

(n> . SUFFICES (A Ih /) PROOF TT ! (F Ih e) — > (F, [-le] , A Ih /) 

7r:(F,(«)/ = (A Ih /),[<«>/] Ih e) 
{n) I. SUFFICES (A Ih /) PROOF TT ! (F Ih g) — > (F, («) / = (A Ih /) , [-le] , A Ih /) 



The inference rules in the above definition are deterministic: the conclusion of each rule uniquely de- 
termines the premises. However, the rules are partial; for example, there is no rule that concludes a 
transformation of the form cr. take x^S : (F ih B A C) — > (A ih /). 

Definition 19. A claim or a transformation is said to be meaningful if it has a primitive derivation. 

Definition 20 (Generating Leaf Obligations). A meaningful claim or transformation is said to generate 
the leaf obligations of its primitive derivation. 

In the rest of this appendix we limit our attention to complete meaningful claims and transformations. 
A.3 Correctness 

If the leaf obligations generated by a complete meaningful claim are provable, then the obligation in the 
claim itself ought to be provable. In this section we prove this theorem by analysis of the checking and 
transformation rules. 

Definition 21 (Provability of Claims and Transformation). 

1. The claim tt : (F Ih e) is provable ijfit is complete and meaningful and the leaf obligations it gener- 
ates are all provable. 

2. The transformation ct.t :(Y Ih e) — > (A Ih /) is provable ijf it is complete and meaningful and the 
leaf obligations it generates are all provable. 

Theorem 22 (Correctness). 

(1) If 7T : {r h e) is provable, then (F Ih e) is provable. 

(2) 7/'o".T : (F Ih e) — > (A ih /) is provable and (A ih /) is provable, then (F ih e) is provable. 

Proof. Let D be the primitive derivation for the claim in (1) and let £ be the primitive derivation for the trans- 
formation in (2). The proof will be by lexicographic induction on the structures of D and £, with a provable 
transformation allowed to justify a provable claim. 
(1)L If TT : (F Ih e) is provable, then (F Ih e) is provable. 



TT 



:(Fih3;^:/,) 




PICK 



<2)1 



Case n is obvious, i.e., T) — obvious. 

OBVIOUS : (F Ih e) 

Case n is omitted is impossible because tt : (F Ih e) is complete. 



Obvious 



(2)2, 



(2)3 



Case ;r is BY O dees *F, i.e.. 



(0) . use (D defs »P : (F Ih e) — > (A ih /) 



(A Ih/) 



BY <1) DEFS *F : (F Ih e) 



BY. 
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(3)1. (A ih /) is provable By Definition [2T] 

(3)2. Qed By (3)1, i.h. (inductive hypothesis) forfio- 

(2)4. Case n is ct.qed proof ttq, i.e., D ^0 ■ II- e) . 

o". QED proof ttq I (i IH e) 

(2)5. Cflie TT is cr.T IT, i.e.. 

So £>o 

cr.r : (r ihe)^ (A Ih/) n:(Aih/) 

2) = ■ — non-QED. 

cr.T n : (r IH e) 

(3)1. (A IH /) is provable By i.h. for Dq. 

(3)3. Qed By (3)1, i.h. for£o- 

(2)6. Qed By (2)1, (2)5. 

(1)2. If cr.T : (r IH e) — > (A IH f) is provable and (A IH /) is provable, then (F IH e) is provable. 
(2)1. Cflie T is USE <I> DEES "P, i.e.. 

So 

^ cr. USE <1) : (Fusing IH e) — >(AlH/) 

^ — USE DEES 

CT. USE O DEES 'I' : (r IH g) > (A IH /) 

(3)1. (Fusing*!' IH e) is provable By i.h. for £o- 

(3)2. Qed By(3)l,Definition[Il] 

(2)2. Case t is hide O dees ^F, /.e.. 

So 

g _ CT. HIDE (J : (F IH e) — > (A IH /) 

CT. HIDE O DEES ^ ! (F IH e) > (A HIDING*!' IH /) 



HIDE DEES. 



(3)1. (A IH /) is provable By provability of (A hiding *!* IH /) and Definition [T4l 

(3)2. Qed By (3)1, i.h. forfio- 

(2)3. Case t is define o = 6 with o iT, i.e., 

£ = 7 ; — F ^ r DEFINE. 

CT. DEFINE o = 5 : (F IH e) — > (F, [o — 6\ IH e) 

(3)1. o is not free in e By o ^ F and closedness of (F IH e). 

(3)2. Qed By (3)1. strengthening (FactfTTTi. 

(2)4. Ca^e T is USE', i.e., £ = useq. Obvious 

0-. usE-:(FlHe) — > (F IH e) 

(2)5. Cflie T is hide*, i.e., £ = hideq. Obvious 

cr. HIDE': (F IH e) — > (F IH e) 

(2)6. Cfl^e T is USE <l>,(/i, /.e.. 

So _ 
0-. USE O : (F IH e) — >(AoIH/) (Ao,FoiHeo) 

0-. USE (D, (Fo IH eo) : (F IH e) — » (Aq, (Fq ih eo) IH /) 

(3)1. (Ao,Fo IH eo) is provable By Definition 1211 

(3)2. (Ao,Fo iHeo) is provable By (3)1, Definitiong] 

(3)3. (Ao IH /) is provable By provabiUty of (Ao,(Fo IH eo) IH /), (3)2, cut (Fact[T2li. 

(3)4. Qed By(3)3, i.h. for£o 



(2)7. Case T is HIDE 0,(^, /.e.. 



So 

CT. HIDE <D : (Fo, [(f>] , Fi IH e) (A IH /) 

O — HIDE 2 . 

cr. HIDE (i>,<p : (Fo,0,Fi IH e) — > (A IH /) 
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(3)1. (Fq, [</>], Pi It- e) is provable 
(3)2. Qed 

(2)8. Case T is TAKE', /.e., fi = 
(2)9. Case r is witness •, i.e., & 

(2)10. Case T is TAKE ;.e.. 



By provability of (A ii- /), i.h. for £o- 
By (3)1, (Fo, M ,ri ih = {Tq^Jx ih (DefinitionH. 



cr. TAKE-: (r Ih e) — > (r Ih e) 



TAKEq. 



cr. WITNESS • : (r Ih e) — > (F ih e) 



fio 



WITNESSq. 



Obvious 
Obvious 



cr. TAKE p : (r,NEWM Ih e[x := m]) > (A Ih /) 

£ TAKEi . 



cr. TAKE M,yS : (r Ih Vjc : e) — > (A Ih /) 



(3)1. (r,NEWM Ih e[x :- u]) is provable 
(3)2. Qed 

(2)1 1. Case r is cr. take u e T, i.e., 



By i.h. for fio- 
By (3)1 and predicate logic. 



(r Ih 5 c T) cr. TAKE : (F, NEW M, M £ T Ih e[x m]) — > (A ih /) 

£ — ^ TAKE2. 



cr. TAKE u 6 r,j6 : (r Ih Vx € 5 : e) — > (A ih /) 



(3)1. (r,NEWM,K € r Ih e[x := m]) is provable 
(3)2. (r, NEW M,M eS Ih M 6 r) is provable 

(4)1. (r,NEWM ih 5 c J) is provable 

(4)2. Qed 

(3)3. (F, NEW M,M E 5 Ih e[x := m]) is provable 
(3)4. Qed 

(2)12. Case T is WITNESS w,Q, i.e.. 



By i.h on fio. 



By Definition |2T1 weakening (Fact|9|l. 

By (4)1, Definition of c. 
By (3)1, (3)2, cut (FactfEll. 
By (3)3 and predicate logic. 



„ o". WITNESS : (F Ih e[x := vvl) — > (A ih f) 

&- — WITNESS 1. 

cr. WITNESS w, Q : (F Ih 3x : e) — > (A ih /) 



(3)1. (F Ih e [x : = w] ) is provable 
(3)2. Qed 

(2)13. Case T is WITNESS w e r, Q and: 



By i.h. for fio. 
By (3)1. 



6o 



^ (Fihrc5) (Fihwer) cr. WITNESS Q:(F,w€r lhe[x:=w]) — >(Aih/) 

B- — WITNESS2. 

cr. WITNESS w e r, n : (F Ih 3x e 5 : e) — > (A ih /) 



(3)1. (F, w e r Ih e[x := w]) is provable 
(3)2. (F Ih w e T) is provable 
(3)3. (F Ih e[x := w]) is provable 
(3)4. (F Ih w € 5) is provable 

(4)1. (F, w € r Ih w e 5 ) is provable 

(4)2. Qed 
(3)5. Qed 



By i.h. for fio. 
By Definition |2T] 
By (3)1, (3)2, cut (Fact[T2li. 

By Definition l2n Definition of c. 

By (4)1, (3)2, cut (Fact[l2li. 
By (3)3, (3)4, and predicate logic. 



(2)14. T is HAVE g, i.e.. 



6 = 



(F,elh; 



0-. HAVE g : (F Ih e ^ /) ^ {Y,g ih /) 



(3)1. (F,e,^ Ih /) is provable 
(3)2. (F,e Ih g) is provable 



By weakening (Fact|9]l. 
By Definition [2T] 
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(3)3. (r,eii-/) is provable 
(3)4. (r ih e => /) is provable 

(2)15. cr. T is («) . (Q ih g) PROOF n, i.e., 



By {3)1, (3)2, cut (Faa\T^. 

By (3)3. 



Do 

n : (r, [-le] ,f2 Ih ; 



(«) . {Q. Ih g) PROOF TT ; (r Ih e) ■ 

(3)1. (r, [-le] , (Q Ih ^) Ih e) is provable 

(3)2. (r, [-.e] ,Q Ih g) is provable 

(3)3. (r, [-.e] Ih e) is provable 

(3)4. Qed 



(r,(fi ihg)ih e) 



ASSERT]. 



By weakening (Fact|9]l. 
By i.h. for Dq. 
By (3)1, (3)2, cut (Fact[l2li. 

By (3)3, Fact[T3] 



(2)16. Ca.se cr.r is (n)/. (O Ih g) proof ;7r, i.e., 



£•0 



;r:(r,(«)/^(n ih^),he],Qih 



ASSERT2. 



(«)/. (Q Ih PROOF TT : (r Ih e) (r,(n)Z = (Q Ih , [(«)/] Ih e) 

(3)1. (r,(«)Z = (Qih§),[^e], [(«)/] Ih e) is provable 

By provability of (F, («)/ = (Q Ih g) , [(«)/] Ih e), weakening (Fact|9]l. 

(3)2. (r,(n)/ = (Q Ih g),[^e] , [(Q Ih g)] Ih e) is provable By (3)1, expansion (FactfTOli. 

(3)3. (r,(n)/ = (Qlhg),[-.e],Qlh^) is provable By i.h. for Do- 

(3)4. (F,(n)/ = (O Ih g), [-e] ih e) is provable By (3)2, (3)3, cut (Fact[l2li. 

(3)5. (F, [-le] Ih e) is provable By (3)4, strengthening (FactfTTTi. 

(3)6. Qed By (3)5, FactO 



(2)17. T is CASE g PROOF TT, i.e.. 



£o 

cr. Ih e) PROOF TT : (F Ih e) — > (A ih /) 

(A Ih/) 



(2)18. 



O". CASE g PROOF TT : (F Ih e) ■ 

By i.h. for £o- 

T is («) . SUFFICES (Q. Ih ^) PROOF TT, i.e.. 



CASE. 



n:{r,{Q. Ihg) Ihe) 



SUFFICES 1 . 



(«) . SUFFICES (A Ih /) PROOF /T I (F Ih e) — > (F, [-ie] , Q Ih g) 

(3)1. (F, [-le] Ih Ih e) is provable By i.h. for Do, weakening (Fact|9]l. 

(3)2. (F, [-.e] Ih e) is provable By provability of (F, [-.e] ,Q ih g), (3)1, cut (Fact[T2]|. 

(3)3. (2ec/ By (3)2, Factini 



(2)19. Cr.T is (n)/. SUFFICES (Q Ih g) PROOF TT, i.e., 



Go 



;r:(F,(«)Z^(Q ihg), [(«)/] ih e) 



SUFFICES 2. 



(«) /. SUFFICES (Q Ih PROOF 71 : (F Ih e) — > (F, («) / = (Q Ih , [-le] , Q ih 

(3)1. (F,(«)/ = (Qlhg),[-.e], [(«)/] Ihe) is provable By i.h. for Do, weakening (Fact IS . 

(3)2. (T,{n)l = (Q Ih g),[-^e] , [(Q ih g)] ih e) is provable By (3)1, expansion (FactfTOli. 

(3)3. (F,(n)/ = (O Ih g),[^e] ih e) is provable 

By (3)2, provability of (F, («) Z = (Q ih g) , [-.e] , Q ih ^), cut (FactlHli. 
(3)4. (F, [-le] Ih e) is provable By (3)3, strengthening (FactfTTli. 

(3)5. Qed By (3)4, FactO 



(2)20. Case r is pick /3 : p proof ;7r, i.e.. 



Do ^ 
TT : (f Ih 3yS : p) 



cr. pick j6 : p proof tt : (F Ih e) — > (f, ih e) 



PICK. 
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(3)1. (r,3j6 : p IH e) is provable 
(3)2. (r ih 30 : p) is provable 
(3)3. Qed 



(2)21. Qed 
(1)3. Qed 



By provability of {y, \\P\\,p ii- e), predicate logic. 

By i.h. for Do. 
By (3)1, (3)2, cut (Fact[l2li. 

By (2)1, (2)20 
By (1)1, (1)2. 

□ 



A.4 Constrained Search 

The correctness theorem (l22l) establishes an implication from the leaf obligations generated by a com- 
plete meaningful claim to the obligation of the claim. It is always true, regardless of the provabiUty of 
any individual leaf obligation. While changing the visibility of assumptions in an obligation does not 
change its provability, a back-end prover may fail to prove it if important assumptions are hidden. As 
already mentioned in Section [3l the PM removes these hidden assumptions before sending a leaf obli- 
gation to a back-end prover. Therefore, in order to establish the Structural Soundness Theorem ([T]), we 
must prove a property about the result of this removal. 

Definition 23 (Filtration). The filtered form of any obligation (p, written {(p)^, is obtained by deleting 
all assumptions of the form [0o] cifid replacing all assumptions of the form [o = 6] with newo anywhere 
inside (p. 

For example, (new a:, [y = ;c] ih = y)^ = (NEWA:,NEwy \\- x = y). We thus see that filtration can render a 
true obligation false; however, if the filtered form of an obligation is true, then so is the obligation. 

Lemma 24 (Verification Lemma). If{4>)f is provable, then <p is provable. 

Proof Sketch. By induction on the structure of the obligation cp, with each case a straightforward conse- 
quence of facts [8] and |9l □ 

Definition 25 (Verifiability). The obligation cp is said to be verifiable if{4>)f is provable. 

We now prove the Structural Soundness Theorem ([D. 

Theorem 1. Ifn : (p is a complete meaningful claim and every leaf obligations it generates is verifiable, 
then (p is true. 

Proof. 

(1)1. For every leaf obligation generated hy n : <p, it must be that (f>o is provable. 
(2)1 . Take (pQ as a leaf obligation generated by tt : 0. 

(2)2. (0o)f is provable By assumption and Definition |25] 

(2)3. Qed By (2)2, Verification Lemma l24l 

( 1 )2. (pis, provable By ( 1 ) 1 , Correctness Theorem |22] 

(1)3. Qed By (1)2, Trust AxiomH 
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B A TLA+^ Proof of Cantor's Theorem 

The following is the complete TLA^^ proof of Cantor's theorem referenced in Section [231 
THEOREM : V/ € [5 — > SUBSET 5 ] : 3A 6 SUBSET S : Vx € 5 : f[x] + A 

(1)1. ASSUME NEW S , 

NEW f e[S ^ SUBSET S ] 

PROVE 3A 6 SUBSET 5 : Vx 6 5 : f[x] + A 

(2)1. DEFINEr = {z6 5 :Z^/[Z]} 

(2)2. Vx 6 5 : /[x] + T 

(3)1. ASSUME NEW X G 5 PROVE /[x] + T 
(4)1. CASE X e r OBVIOUS 

(4)2. CASE X ^^ r obvious 
(4)3. qedby(4)1, (4)2 
(3)2. qedby(3)1 
(2)3. qedby(2)2 
(1)2. qedby(1)1 

As an example, the leaf obligation generated (see Appendix IA.3I ) for the proof of (4)1 is: 
( (1)1 =(new5 ,NEw/,/ e [5 — » subset 5] ih 3A e subset 5 : Vx e 5 : /[x] A), 

NEWS', 

new/, / e [5 — > SUBSET S ], 

[^(3A e SUBSET 5 ; Vx e 5 : /[x] A)], 

(2) 2 = Vx e 5 : /[x] r, 
h(Vxe5:/[x]^r)], 

(3) 1 = (newx,x 6 5 ih /[x] 5i r), 
NEwx, X e 5, 
hif[x]*T)l 

(4) l^(xerih/[x]^r), 

x6 r 

Ih /[x] i=T). 

Filtering its obligation (see Definition |23]) and expanding all definitions gives: 

^ NEW S , 
new/, / E [5 — > SUBSET 5 ], 

NEW X, X e 5 , 

xe{zeS:zif[z]}\^f[x]^{zeS:zif[z]}). 
In Isabelle/TLA^ , this is the following lemma: 
lemma f\S. 

A/. /€ [5 ^SUBSET 5]^ 

{Ax.lxeS; 

x€{zeS :zif[z]}l^f[x]^{zeS:zif[z]}) 
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